@stephenw10 said in pfSense stops responding after login on Netgate MBT-2220:

How are you logging in that seems to trigger this? At the webgui?

Can you login via SSH or use the physical console? If you have a physical console connected when this happens it may show what is happening or at least allow you investigate or reboot cleanly. Or if it stops responding there it's also a indication.

Steve

Thanks for replying, Steve. The problems occur when I log in through the web GUI. When I've tried to log in using SSH or the console after a GUI login and the system has stopped responding, those attempts failed. No login prompt appeared. pfSense had simply stopped responding.

To be honest, I haven't tried to log in using SSH or a physical console prior to logging in through the web GUI. But I'll give it a try this weekend and report back.

Yeah, that looks like no default route. So make sure you have a default gateway set then check Diagnostics > Routes and make sure a default route is shown.

Steve

@stephenw10 Perfect! Thank you.

Mmm, probably going to need a script to do it. You might be able to define a custom Snort rule to detect that which would be nice. But it will only throw an alert when it sees it. No way I'm aware if to send a notification based on that alert. Maybe if you were exporting the Snort logs you could have something else setup to do parse them and do that.
Neither of those things are anything I've ever tried.

Steve

@stephenw10 I was fully stopped, not a timing issue. I figured it out much later because the usage of haproxy/squid is optional. I do not use clamav or other filters, the proxy being 100% for caching.

Unrelated to the original question one hour ago I found an issue specific to squid: it breaks use of wss:// (web sockets) and so far I was not able to find info about how to avoid it (if is even possible). Clearly this has nothign to do which pfsense.

You can just filter the logs by IP change and you will see changes listed for the time covered by the logs:

0_1547055636621_Selection_544.png

That does show all 'WAN' type connections so an OpenVPN client connection also in my case there.

Steve

@stephenw10

Hi,

Thanks for the answer. I will do what you recommended me. Have a nice day

Regards,

The AMI for the 2.4.4p2 release should be available in that region. It's being tested now.

Steve

@stephenw10 Got it thanks ...

I've been using airVPN for years and would recommend it, fast and stable.

Thanks all, this has been very helpful!

Ah OK.

Upgrading to 2.4.4p2 has resolved my problem.

Do what the logs files says.

edit :
IE : goto console mode, option 8 and enter

Not many steps here. If it were me I would:
Remove the any allow all rule on the interface for the subnet in question.
Add a rule to allow DNS to the interface IP.
Create an alias containing the IP addresses of the sites you want to allow.
Add a rule to pass traffic from the subnet to that alias for TCP.
If you really wanted to restrict further use a ports alias to allow only ports 80 and 443 as the destination too.

BUT... that will only work well for sites that resolve to a single IP address or only if you have all the resolvable IPs in the alias. So it will not work for Facebook, Youtube etc. Or at least not well.

Steve

He doesn't want to hear the facts nor listen to the guidance we are trying to put forward. He does not want an answer to a complex question. He wants an answer to a simple question.

The answer to the latter is: https and 443.

I just read that it actually needs MSS Clamping to be 1350 or MTU at 1400 and misread the line in the pfSense as being MTU and not MSS. I just realized my mistake it's been a long three days in troubleshooting this. I just stopped and started the IPSec service on the Azure appliance after making that change and it worked the first few tries (this has happened a few times). I'll go ahead and continue testing to see if the results stick.

@mattzap said in Help with troubleshooting low interface throughput:

Ah-ha! Yes, I do have AT&T. Here's the relevant threads I just found:

https://forum.netgate.com/topic/138604/sudden-drop-in-throughput-900-900-on-modem-vs-30-100-on-pfsense/14 https://forum.netgate.com/topic/112691/wan-throughput-capping-at-500mbps-att-gigapower/3 https://forums.att.com/t5/AT-T-Fiber-Equipment/DMZPlus-mode-in-my-Pace-5268AC-causing-browsing-to-not-work-but/td-p/5712305

I haven't read through all of this yet, but it all starts out matching my situation exactly. I'll report back when I get a chance to get up to speed on this and see if it turns out to be my issue.

Thanks!

Yep, those are some of the relevant threads. I think the user found a solution on the AT&T forums.

Yes, if anywhere it would be using Snort or Suricata with custom rules files.

Better to ask in the IDS/IPS section for help with that.

Steve